Information Security Governance Framework of Malaysia Public Sector

Amri Jamil, Zawiyah Mohammad Yusof


Information is one of an organization's key assets, alongside its employees and physical assets. It should be protected from exposure to unauthorized individuals, especially competitors and spies. Previous studies have found that Information Security Governance (ISG) is divided into two parts: technical security, which arises from the use of information and communication technology (ICT), and non-technical information security. Implementation of ISG in the Malaysian public sector is aimed at protecting information from the technical aspect only, without giving priority to information security issues that are not technical in nature, particularly in terms of content. Data analysis found that the public sector did not have ISG guidelines in the form of a single, integrated document, making it difficult to implement the initiative. This study analyzes the ISG policy of Malaysian public sector agencies with the objective of developing a comprehensive ISG framework. The study employed a qualitative approach comprising document content analysis and interviews with senior Malaysian public sector officials. The analysis found that the Malaysian public sector already has a framework for the governance of information security. However, the ISG framework is spread across several separate documents, each using a different governance approach.


Keywords: information security, information security governance, information security governance framework







e-ISSN : 2289-2192
